CVE-2023-43665

NameCVE-2023-43665
DescriptionIn Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesELA-1101-1
Debian Bugs1053475

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie, jessie (lts)1.7.11-1+deb8u17vulnerable
stretch (security)1:1.10.7-2+deb9u17vulnerable
stretch (lts), stretch1:1.10.7-2+deb9u23fixed
buster, buster (lts)1:1.11.29-1+deb10u12vulnerable
buster (security)1:1.11.29-1+deb10u11vulnerable
bullseye (security), bullseye2:2.2.28-1~deb11u2vulnerable
bookworm (security), bookworm3:3.2.19-1+deb12u1vulnerable
sid, trixie3:4.2.16-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcestretch1:1.10.7-2+deb9u22ELA-1101-1
python-djangosource(unstable)3:4.2.6-11053475

Notes

[bookworm] - python-django <postponed> (Minor issue, fix along in future update)
[bullseye] - python-django <postponed> (Minor issue, fix along in future update)
[buster] - python-django <postponed> (Minor issue, fix along in future update)
https://www.openwall.com/lists/oss-security/2023/10/04/6
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d (main)
https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473 (4.2.6)
https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5 (3.2.22)
[jessie] - python-django <postponed> (Minor issue, fix along in future update)

Search for package or bug name: Reporting problems